Abstract

In this paper, we discuss coding theorems on a (2, 2)-threshold scheme in the presence of an opponent who impersonates one of the two participants in an asymptotic setup. We consider a situation where n secrets $S^n$ from a memoryless source are blockwisely encoded to two shares and the two shares are decoded to $S^n$ while permitting negligible decoding error. We introduce the correlation level of the two shares and characterize the minimum attainable rates of the shares and a uniform random number for realizing a (2, 2)-threshold scheme that is secure against the impersonation attack by an opponent. It is shown that, if the correlation level between the two shares equals an $\ell \ge 0$, the minimum attainable rates coincide with $H(S) + \ell$, where $H(S)$ denotes the entropy of the source, and the maximum attainable exponent of the success probability of the impersonation attack equals $\ell$. We also give a simple construction of an encoder and a decoder using an ordinary (2, 2)-threshold scheme where the two shares are correlated and which attains all the bounds.

Index Terms 

Secret sharing scheme, threshold scheme, impersonation attack, correlated sources, hypothesis testing. 

I. Introduction 

A. Background and Motivations 

A secret sharing scheme [1], [2] is a well-known cryptographic technique that enables us to share secret data among users. In (t, m)-threshold schemes, for example, a secret S is encoded to m shares, and the m shares are distributed to respective participants. Any t out of m participants can recover S, while $t - 1$ or fewer participants cannot obtain any information on S in the sense of unconditional security.

Fig. 1. Two (2, 2)-threshold schemes with an opponent. (a) A (2, 2)-threshold scheme with an opponent who impersonates a participant who has a share X (impersonation attack). (b) A (2, 2)-threshold scheme with an opponent who substitutes a share $\overline{X}$ for X (substitution attack).

In this paper, we focus on the secret sharing scheme in the presence of opponents. The objective of the opponents is cheating honest participants. That is, the opponents forge their shares and try to cheat the honest participants by injecting the forged shares in the recovery phase of S. This problem was first discussed by McEliece-Sarwate [3] and Karnin-Greene-Hellman [4] from the viewpoint of error-correcting codes. In particular, Karnin-Greene-Hellman [4] and Tompa-Woll [5] clarified that it is impossible to detect cheating in Shamir's secret sharing scheme [1]. In addition, a construction of a cheating-detectable secret sharing scheme is proposed in [5] as an extension of Shamir's secret sharing scheme, although it is very inefficient. So far several schemes have been proposed to overcome such disadvantages [6]-[9]. In particular, Ogata-Kurosawa-Stinson [8] derived a lower bound on sizes of shares under a given maximum success probability $\varepsilon$ of cheating, and the lower bound is attained if and only if a difference set exists.

In cheating-detectable threshold schemes, the shares must satisfy unforgeability as well as the ordinary requirements of a threshold scheme. We can actually consider two types of attacks, impersonation attacks and substitution attacks, similarly to the attacks against secret-key authentication systems [10]. In the impersonation attack, opponents intend to impersonate participants by injecting forged shares without using the legitimate shares. The impersonation attack is regarded as successful if the forged shares are accepted in a recovery phase of a secret. On the other hand, in the substitution attack, some of the participants are malicious and forge their shares by using their shares. The objective of the malicious participants is cheating honest participants who want to recover S from their shares.

Fig. 2. A system model of (2, 2)-threshold scheme with detectability of impersonation attacks

For instance, Figure 1 shows the two types of attacks against a (2, 2)-threshold scheme with two shares X and Y. We assume that the ordinary requirements of a (2, 2)-threshold scheme, $H(S|X) = H(S|Y) = H(S)$ and $H(S|XY) = 0$, are satisfied. In Fig. 1(a) an opponent generates a forged share $\overline{X}$ without using X and Y and tries to impersonate participant 1 who has a share X. In Fig. 1(b) a participant with X forges $\overline{X}$ by using X, but not using Y. We assume that in both cases $\overline{X}$ is generated probabilistically. Then, it is important to notice that $\overline{X}$ is independent of (X, Y) in Fig. 1(a), while Y, X and $\overline{X}$ form a Markov chain in this order in Fig. 1(b). Thus, considering the two types of attacks against threshold schemes corresponds to giving two kinds of probabilistic structures for all the shares including the forged share.

Cheating-detectable secret sharing schemes are usually designed to detect substitution attacks [5]-[9] in a non-asymptotic setup, i.e., the decoding error is not allowed and the block coding is not considered. These studies treat the case where a coalition of more than one malicious participant generates forged shares. However, there exist the following drawbacks in cheating-detectable secret sharing schemes:

• According to [8], it is easy to derive the lower bounds of share rates, i.e., information bits per secret needed to describe shares, under a given success probability of cheating. Unfortunately, however, this result implies that the optimal share rates increase in order at least $1/\varepsilon$ as $\varepsilon \to 0$, and hence, an arbitrarily small success probability of cheating cannot be realized with fixed finite share rates.

• An extension of Shamir's (t, m)-threshold scheme in [5] can detect both substitution and impersonation attacks. This scheme is simple but inefficient from the viewpoint of share sizes. In addition, the optimal construction [8] is based on a combinatoric structure called a difference set, where the difference set exists only in limited cases and therefore restricts sizes of a secret and shares. Hence, even in a (2, 2)-threshold scheme, we cannot apply the optimal scheme to a secret S of arbitrarily given size.

• Almost all constructions include the assumption that a secret is generated subject to a uniform probability distribution. This means that developing a near-optimum cheating-detectable secret sharing scheme for a secret subject to a non-uniform distribution becomes another problem [9].

In this paper, we focus on the impersonation attack against a (2, 2)-threshold scheme. Since the impersonation attack is weaker than the substitution attack, the impersonation attack is rarely discussed, especially in the framework of secret sharing schemes. However, if we discuss the threshold scheme secure against impersonation attack in a certain asymptotic setup, we can unveil another information-theoretic aspect. In fact, we can find connections to hypothesis testing, authentication codes and Shannon's cipher system. From a practical point of view, we can consider a situation where impersonation attack seems to be valid. Suppose that in a (2, 2)-threshold scheme one of the shares, say X, is a uniform random number that is independent of a secret S. In this case, the participant having X may generate $\overline{X}$ subject to a distribution close to the uniform distribution because analysis of X gives almost no information to the participant.

B. Contribution of This Study 

In this paper, we formulate the problem of a threshold scheme secure against impersonation attacks in a Shannon-theoretic asymptotic setup [11], [12], and unveil new features included in the problem. We consider a situation where n secrets that are generated from a discrete memoryless source are blockwisely encoded to two shares and the two shares are decoded to n secrets while permitting negligible decoding error. While we consider impersonation attacks, the asymptotic (2, 2)-threshold scheme treated in this paper has the following features which resolve the three drawbacks pointed out above in cheating-detectable secret sharing schemes:

• An exponentially small success probability of impersonation attack is realized under finite share rates if the blocklength is sufficiently large.

• The scheme uses no combinatoric structure and is applicable to arbitrary size of a secret.

• The probability distribution of a secret is arbitrary. In addition, the scheme can be applied to a more general class of sources.

Specifically, we give coding theorems on the (2, 2)-threshold scheme for two cases of blockwise encoding and symbolwise encoding. In both cases we are interested in the minimum attainable rates for not only the two shares but also the uniform random number needed by a dealer for realizing a cheating-detectable (2, 2)-threshold scheme in an asymptotic sense. We also evaluate the maximum attainable exponent of the success probability of the impersonation attack. It turns out that, if the two shares are correlated, we can easily realize the (2, 2)-threshold scheme in an asymptotic sense that is secure against the impersonation attack. This fact motivates us to define a notion of correlation level of the two shares as the limit of the normalized mutual information between the two shares. In a non-asymptotic setup, we note that correlated shares are first discussed in [13] based on a combinatorial argument.

In the case of blockwise encoding, we consider an encoder that encodes n secrets $S^n = S_1 S_2 \cdots S_n$ blockwisely to two shares $X_n$ and $Y_n$ by using a uniform random number $U_n$, where throughout the paper the superscript n denotes the length and the subscript n indicates dependency on n. The two shares $X_n$ and $Y_n$ are decoded to $S^n$ with decoding error probability $P_n^e$ that satisfies $P_n^e \to 0$ as $n \to \infty$. The two shares are required to satisfy the security criteria $I(S^n; X_n)/n \to 0$ and $I(S^n; Y_n)/n \to 0$ as $n \to \infty$, where $I(\cdot\,;\cdot)$ denotes the mutual information. We can prove that, if the correlation level of the shares is equal to $\ell$, none of the rates of $X_n$, $Y_n$ and $U_n$ can be less than $H(S) + \ell$, where $H(S)$ denotes the entropy of the source, and the exponent of the success probability of impersonation attack cannot be greater than $\ell$ (converse part). Furthermore, we can prove the existence of a sequence of pairs of an encoder and a decoder that attains all the bounds shown in the converse part (direct part). Both the claims of the direct and the converse parts are easily extended to the case where $S^n$ is generated from a stationary ergodic source.

In the case of symbolwise encoding, we consider an encoder that encodes n secrets $S^n$ to two shares $X^n = X_1 X_2 \cdots X_n$ and $Y^n = Y_1 Y_2 \cdots Y_n$ of length n by using n uniform random numbers $U^n = U_1 U_2 \cdots U_n$. In fact, $X^n$ and $Y^n$ are generated by $(X_i, Y_i) = f(S_i, U_i)$ for $i = 1, 2, \ldots, n$, where f is an arbitrary deterministic encoder of an ordinary (2, 2)-threshold scheme satisfying $H(S_i|X_i) = H(S_i|Y_i) = H(S_i)$ and $H(S_i|X_i Y_i) = 0$. Denote by g a deterministic map satisfying $S_i = g(X_i, Y_i)$. We choose an appropriate f so that $(X_i, Y_i)$, $i = 1, 2, \ldots, n$, can be regarded as i.i.d. correlated random variables. It is shown that we can realize a (2, 2)-threshold scheme in an asymptotic sense in which $P_n^e$ vanishes as $n \to \infty$, $X^n$ and $Y^n$ satisfy a stronger requirement on the secrecy $I(S^n; X^n) = I(S^n; Y^n) = 0$, and the exponent of the success probability of the impersonation attack is optimal. In the proof we construct a decoder of $X^n$ and $Y^n$ by using g and a one-sided test for verifying the joint typicality of $X^n$ and $Y^n$. This kind of symbolwise setup is first discussed in [14] for authentication codes.

C. Related Works, Organization 

The (2, 2)-threshold scheme secure against the impersonation attack is motivated from the Shannon-theoretic 
authentication codes [10], [14]-[16]. In particular, in [14] the authors discuss the maximum attainable error exponent 
on the success probability of the impersonation attack subject to the vanishing decoding error probability. However, 
the results given in this paper are more involved. In fact, in the framework of (2, 2)-threshold schemes we need 
to guarantee secrecy of a secret given one of the two shares. In addition, in this paper we succeeded in obtaining 
not only such a maximum exponent but also the minimum attainable sizes of the shares and the uniform random 
number. 

The (2, 2)-threshold scheme with detectability of impersonation attacks with the blockwise encoder can be viewed as one version of Shannon's cipher system ([17]-[21] etc.) when one of the shares is an output from a random number generator. In a simple asymptotic setup of Shannon's cipher system [20], n plaintexts $S^n$ generated from a memoryless source are encrypted to a cryptogram $W_n$ under a key $U_n$ and $W_n$ is decrypted to $S^n$ under the same key $U_n$ while permitting decoding error probability $P_n^e$. The encoder and the decoder are required to satisfy $P_n^e \to 0$ and $I(S^n; W_n)/n \to 0$ as $n \to \infty$. In this setup, the minimum attainable rates of the cryptogram and the key coincide with the entropy $H(S)$ of the plaintext. The coding theorems given in this paper imply the same result under an additional requirement such that the correlation level of $W_n$ and $U_n$ is equal to zero, i.e., $\ell = 0$.

The (2, 2)-threshold scheme with detectability of impersonation attacks with the symbolwise encoder is related to the problem of secret key agreement [21], [22]. In the secret key agreement problem of the source type model [22], two users have n outputs $X^n = X_1 X_2 \cdots X_n \in \mathcal{X}^n$ and $Y^n = Y_1 Y_2 \cdots Y_n \in \mathcal{Y}^n$ from two correlated memoryless sources, respectively, where $(X_i, Y_i)$, $i = 1, 2, \ldots, n$, are i.i.d. copies of $(X, Y) \in \mathcal{X} \times \mathcal{Y}$ subject to a joint probability distribution $P_{XY}$. The two users try to share a nearly uniform random number with the maximum rate $I(X; Y)$ by public communications. On the contrary, the symbolwise encoder in the (2, 2)-threshold scheme with detectability of impersonation attacks can be interpreted as a generator of correlated random variables $X^n = X_1 X_2 \cdots X_n \in \mathcal{X}^n$ and $Y^n = Y_1 Y_2 \cdots Y_n \in \mathcal{Y}^n$ given independent random variables $S^n$ and $U^n$, where $(X_i, Y_i)$, $i = 1, 2, \ldots, n$, are regarded as n i.i.d. copies of $(X, Y) \sim P_{XY}$. Since the correlation level of $X^n$ and $Y^n$ coincides with $I(X; Y)$, the minimum attainable rate of $U^n$ turns out to be $H(S) + I(X; Y)$. That is, we need an extra cost of $I(X; Y)$ in order to generate two correlated shares.

The rest of this paper is organized as follows: In Section II, a (2, 2)-threshold scheme with detectability of 
impersonation attacks with correlation level $\ell$ in an asymptotic setup is formulated. The coding theorems for the 
blockwise encoder are given in Section III. Section IV is devoted to the proofs of the coding theorems. A construction 
of encoders and decoders based on a non-asymptotic (2, 2)-threshold scheme and its optimality are discussed in 
Section V. 

II. Problem Setting 

We consider a (2, 2)-threshold scheme depicted in Fig. 2. Assume for an integer $n \ge 1$ that a source generates an n-tuple of secrets $S^n = S_1 S_2 \cdots S_n$ independently subject to a probability distribution $P_S$ on a finite set $\mathcal{S}$. Denote by $P_{S^n}$ the probability distribution of $S^n$ induced by $P_S$, and let $P_{S^n}(s^n)$ be the probability that $S^n = s^n$ for an $s^n \in \mathcal{S}^n$. Since the source is memoryless, it holds that $P_{S^n}(s^n) = \prod_{i=1}^{n} P_S(s_i)$ for all $n \ge 1$ where $s^n = s_1 s_2 \cdots s_n$.

In Fig. 2, let $U_n$ be the random variable subject to the uniform distribution on a finite set $\mathcal{U}_n$. Assume that $U_n$ is independent of $S^n$. In this paper, we use the subscript n to indicate dependency on n, while the superscript n implies the length. We denote by $P_{U_n}$ a probability distribution of $U_n$, i.e., it holds that $P_{U_n}(u_n) = 1/|\mathcal{U}_n|$ for all $u_n \in \mathcal{U}_n$ where $|\cdot|$ denotes the cardinality.

An encoder is defined as a deterministic map $\varphi_n : \mathcal{S}^n \times \mathcal{U}_n \to \mathcal{X}_n \times \mathcal{Y}_n$, where $\mathcal{X}_n$ and $\mathcal{Y}_n$ are finite sets in which shares $X_n$ and $Y_n$ take values, respectively. Hence, we can write 



(1) 



from which we can see that $X_n$ and $Y_n$ are also random variables. The joint probability distribution $P_{X_n Y_n}$ of $X_n$ and $Y_n$ is induced from (1). The shares $X_n$ and $Y_n$ are distributed securely to participants 1 and 2, respectively.

Next, consider a situation where an opponent may impersonate one of the two participants. When the opponent impersonates participant 1, the opponent behaves as if he/she were participant 1 by injecting a forged share $\overline{X}_n \in \mathcal{X}_n$ instead of $X_n$. This attack is regarded as successful if a decoder fails to detect impersonation attacks and outputs an element of $\mathcal{S}^n$ from $\overline{X}_n$ and $Y_n$. Here, we assume that the opponent generates $\overline{X}_n$ without using $X_n$. According to [10], [14]-[16], such an attack is called an impersonation attack as opposed to a substitution attack. Similarly, in the case of deceiving participant 1, the opponent forges a share $\overline{Y}_n$ without using $Y_n$, and tries to impersonate participant 2. In this case, the attack succeeds when the decoder outputs an element of $\mathcal{S}^n$ from $X_n$ and $\overline{Y}_n$. Summarizing, letting $\widetilde{X}_n$ and $\widetilde{Y}_n$ be the inputs to a decoder, the following three cases must be considered:

(a0) $(\widetilde{X}_n, \widetilde{Y}_n) = (X_n, Y_n)$
(a1) $(\widetilde{X}_n, \widetilde{Y}_n) = (\overline{X}_n, Y_n)$
(a2) $(\widetilde{X}_n, \widetilde{Y}_n) = (X_n, \overline{Y}_n)$

A decoder is defined as a deterministic map $\psi_n : \mathcal{X}_n \times \mathcal{Y}_n \to \mathcal{S}^n \cup \{\bot\}$, where $\bot$ is a symbol to declare the detection of an impersonation attack, i.e., (a1) or (a2). We note here that the decoder cannot know in advance which one of (a0)-(a2) actually occurs. On the other hand, we assume that the opponent knows everything about the encoder and the decoder except for realizations of $S^n$, $U_n$, $X_n$ and $Y_n$.

In this situation, we define success probabilities of impersonation attacks. Let $\mathcal{A}_n \subset \mathcal{X}_n \times \mathcal{Y}_n$ be the region in which the decoder $\psi_n$ accepts the pair of shares $(\widetilde{X}_n, \widetilde{Y}_n)$ and outputs an element of $\mathcal{S}^n$, i.e.,

$$\mathcal{A}_n = \{(x_n, y_n) \in \mathcal{X}_n \times \mathcal{Y}_n : \psi_n(x_n, y_n) \in \mathcal{S}^n\}. \tag{2}$$

Now, recall that the impersonation attack succeeds if the decoder outputs an element of $\mathcal{S}^n$ when one of (a1) and (a2) occurs. In the case of (a1), i.e., the opponent impersonates participant 1, we note that he/she generates a forged share $\overline{X}_n$ according to a probability distribution $P_{\overline{X}_n}$ independently from $S^n$, $U_n$, $X_n$, and $Y_n$. In addition, the opponent tries to optimize $P_{\overline{X}_n}$ so that $(\overline{X}_n, Y_n)$ can be accepted by the decoder with the maximum probability. This motivates us to define a success probability to impersonate participant 1 by

$$P_n^X = \max_{P_{\overline{X}_n}} \Pr\{(\overline{X}_n, Y_n) \in \mathcal{A}_n\} \tag{3}$$

where the maximization over $P_{\overline{X}_n}$ is taken over all probability distributions on $\mathcal{X}_n$, and $\Pr\{\cdot\}$ means the probability with respect to the (joint) probability distribution of random variable(s) between the braces, i.e., $P_{\overline{X}_n Y_n} = P_{\overline{X}_n} P_{Y_n}$ in this case. Similarly, the maximum success probability for the impersonation of participant 2 can be defined as

$$P_n^Y = \max_{P_{\overline{Y}_n}} \Pr\{(X_n, \overline{Y}_n) \in \mathcal{A}_n\} \tag{4}$$

where $\Pr\{\cdot\}$ is taken with respect to $P_{X_n \overline{Y}_n} = P_{X_n} P_{\overline{Y}_n}$.

The decoding error occurs when $S^n$ is not correctly decoded from legitimate shares in the case of (a0). Hence, the decoding error probability can be written as

$$P_n^e = \Pr\{\psi_n(\varphi_n(S^n, U_n)) \ne S^n\}. \tag{5}$$

It is easy to see that if $(x_n, y_n) \notin \mathcal{A}_n$, then $\psi_n(x_n, y_n) = \bot \notin \mathcal{S}^n$. Hence, we have

$$P_n^e \ge \Pr\{(X_n, Y_n) \notin \mathcal{A}_n\} \tag{6}$$

for any pair of an encoder $\varphi_n$ and a decoder $\psi_n$.

Now, we can define a (2, 2)-threshold scheme in an asymptotic setup as follows:

Definition 1: We say that a sequence $\{(\varphi_n, \psi_n)\}_{n=1}^{\infty}$ of an encoder $\varphi_n$ and a decoder $\psi_n$ asymptotically realizes a (2, 2)-threshold scheme if it satisfies

$$\lim_{n\to\infty} P_n^e = 0 \tag{7}$$

and

$$\lim_{n\to\infty} \frac{1}{n} I(S^n; X_n) = \lim_{n\to\infty} \frac{1}{n} I(S^n; Y_n) = 0 \tag{8}$$

where $I(\cdot\,;\cdot)$ denotes the mutual information.

The condition (7) guarantees that the decoding error probability is negligible if the blocklength n is sufficiently large. Note that Fano's inequality [23, Theorem 2.10.1] tells us that

$$\frac{1}{n} H(S^n | X_n Y_n) \le \frac{1}{n} h(P_n^e) + P_n^e \log |\mathcal{S}| \tag{9}$$

where $\log(\cdot) = \log_2(\cdot)$ throughout the paper, and $H(\cdot|\cdot)$ and $h(\cdot)$ are the conditional and the binary entropies, respectively. Hence, if (7) is satisfied, then we have

$$\lim_{n\to\infty} \frac{1}{n} H(S^n | X_n Y_n) = 0 \tag{10}$$

due to the non-negativity of the conditional entropy. On the other hand, the condition (8) ensures that $S^n$ is secure against the leakage from one of $X_n$ and $Y_n$ if n is sufficiently large. That is, $S^n$ and either one of the shares are almost independent under such a condition. We also note that, since $S^n$ is generated from a memoryless source, (8) implies that

$$\lim_{n\to\infty} \frac{1}{n} H(S^n | X_n) = \lim_{n\to\infty} \frac{1}{n} H(S^n | Y_n) = H(S) \tag{11}$$

where $H(\cdot)$ denotes the entropy.

We conclude this section by introducing a notion of correlation level. The mutual information of two shares plays a crucial role in detecting impersonation attacks, which will be clarified in the following sections.

Definition 2: Let $\{(X_n, Y_n)\}_{n=1}^{\infty}$ be a pair of shares generated by a sequence of encoders $\{\varphi_n\}_{n=1}^{\infty}$. Then, a non-negative number $\ell$ is said to be a correlation level of $\{(X_n, Y_n)\}_{n=1}^{\infty}$ if it holds that

$$\lim_{n\to\infty} \frac{1}{n} I(X_n; Y_n) = \ell. \tag{12}$$

In particular, if a sequence $\{(\varphi_n, \psi_n)\}_{n=1}^{\infty}$ of an encoder $\varphi_n$ and a decoder $\psi_n$ satisfies Definition 1 and the sequence of shares $\{(X_n, Y_n)\}_{n=1}^{\infty}$ generated from $\{\varphi_n\}_{n=1}^{\infty}$ satisfies (12), we say that $\{(\varphi_n, \psi_n)\}_{n=1}^{\infty}$ asymptotically realizes a (2, 2)-threshold scheme with correlation level $\ell$.

Remark 1: Note that the sequence $\{I(X_n; Y_n)/n\}_{n=1}^{\infty}$ in (12) does not have a limit in general if $\{(X_n, Y_n)\}_{n=1}^{\infty}$ is generated by an arbitrary sequence of encoders $\{\varphi_n\}_{n=1}^{\infty}$. Hence, (12) actually requires the existence of the limit for the sequence $\{I(X_n; Y_n)/n\}_{n=1}^{\infty}$, and the limit equals $\ell$.

III. Coding Theorems for a (2, 2)-Threshold Scheme with Detectability of Impersonation Attacks

In this section, we give coding theorems for $\{(\varphi_n, \psi_n)\}_{n=1}^{\infty}$ that asymptotically realizes a (2, 2)-threshold scheme with correlation level $\ell$. We are interested in not only the rates of $X_n$, $Y_n$ and $U_n$ but also the exponents of $P_n^X$ and $P_n^Y$ of the sequence $\{(\varphi_n, \psi_n)\}_{n=1}^{\infty}$. The following theorem is the converse part of the coding theorem with respect to such rates and exponents.

Theorem 1: For any sequence $\{(\varphi_n, \psi_n)\}_{n=1}^{\infty}$ of an encoder $\varphi_n$ and a decoder $\psi_n$ that asymptotically realizes a (2, 2)-threshold scheme with correlation level $\ell$, it holds that

$$\liminf_{n\to\infty} \frac{1}{n} \log |\mathcal{X}_n| \ge H(S) + \ell \tag{13}$$

$$\liminf_{n\to\infty} \frac{1}{n} \log |\mathcal{Y}_n| \ge H(S) + \ell \tag{14}$$

$$\liminf_{n\to\infty} \frac{1}{n} \log |\mathcal{U}_n| \ge H(S) + \ell \tag{15}$$

and

$$\limsup_{n\to\infty} \max\left\{ -\frac{1}{n} \log P_n^X, \; -\frac{1}{n} \log P_n^Y \right\} \le \ell. \tag{16}$$

Theorem 1 is proved in Section IV-A. Theorem 1 tells us that for an arbitrarily small $\gamma > 0$ the rates of $X_n$, $Y_n$ and $U_n$ cannot be less than $H(S) + \ell - \gamma$ for all sufficiently large n, where $\ell$ is an arbitrarily given correlation level. In fact, by noticing that $H(S) + \ell \ge H(S)$ for any $\ell \ge 0$, the bounds on the right hand sides of (13)-(15) coincide with the bounds in [12, Theorem 1] for (2, 2)-threshold schemes when $\ell = 0$. Theorem 1 also indicates that the correlation level of shares is an upper bound on the exponents of $P_n^X$ and $P_n^Y$.

The direct part of the coding theorem corresponding to Theorem 1 is as follows:

Theorem 2: For an arbitrarily given non-negative number $\ell \ge 0$, there exists a sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ of an encoder $\varphi_n^*$ and a decoder $\psi_n^*$ that asymptotically realizes a (2, 2)-threshold scheme with correlation level $\ell$ satisfying

$$\limsup_{n\to\infty} \frac{1}{n} \log |\mathcal{X}_n| \le H(S) + \ell \tag{17}$$

$$\limsup_{n\to\infty} \frac{1}{n} \log |\mathcal{Y}_n| \le H(S) + \ell \tag{18}$$

$$\limsup_{n\to\infty} \frac{1}{n} \log |\mathcal{U}_n| \le H(S) + \ell \tag{19}$$

and

$$\liminf_{n\to\infty} \min\left\{ -\frac{1}{n} \log P_n^X, \; -\frac{1}{n} \log P_n^Y \right\} \ge \ell. \tag{20}$$

In particular, the above $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ also satisfies

$$I(S^n; X_n) = I(S^n; Y_n) = 0 \quad \text{for all } n \ge 1 \tag{21}$$

which is stronger than the condition in (8).

The proof of Theorem 2 is given in Section IV-B.

Remark 2: Theorem 1 guarantees that $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ in Theorem 2 attains the minimum rates of $X_n$, $Y_n$, and $U_n$, and the maximum exponents of $P_n^X$ and $P_n^Y$. Furthermore, the limits exist for these rates and exponents, i.e., it holds that

$$\lim_{n\to\infty} \frac{1}{n} \log |\mathcal{X}_n| = \lim_{n\to\infty} \frac{1}{n} \log |\mathcal{Y}_n| = \lim_{n\to\infty} \frac{1}{n} \log |\mathcal{U}_n| = H(S) + \ell \tag{22}$$

and

$$\lim_{n\to\infty} -\frac{1}{n} \log P_n^X = \lim_{n\to\infty} -\frac{1}{n} \log P_n^Y = \ell. \tag{23}$$

IV. Proofs of Theorems 1 and 2 

This section is devoted to the proofs of Theorems 1 and 2. In the proof of Theorem 1, we use a relationship between hypothesis testing and the (2, 2)-threshold scheme with detectability of impersonation attacks with correlation level $\ell$, which originates from [16] and was developed in [14], [15].
A. Proof of Theorem 1

Fix $\ell \ge 0$ arbitrarily. We first prove (13). From the basic properties of the entropy and the mutual information, it holds that

$$\begin{aligned}
H(X_n) &= I(X_n; Y_n) + H(X_n | Y_n) \\
&\ge I(X_n; Y_n) + H(X_n | Y_n) - H(X_n | Y_n S^n) \\
&= I(X_n; Y_n) + I(X_n; S^n | Y_n) \\
&= I(X_n; Y_n) + H(S^n | Y_n) - H(S^n | X_n Y_n).
\end{aligned} \tag{24}$$

Hence, (13) is established because

$$\begin{aligned}
\liminf_{n\to\infty} \frac{1}{n} \log |\mathcal{X}_n| &\ge \liminf_{n\to\infty} \frac{1}{n} H(X_n) \\
&\ge \liminf_{n\to\infty} \frac{1}{n} I(X_n; Y_n) + \liminf_{n\to\infty} \frac{1}{n} H(S^n | Y_n) - \limsup_{n\to\infty} \frac{1}{n} H(S^n | X_n Y_n) \\
&= \ell + H(S)
\end{aligned} \tag{25}$$

where the last inequality and the equality are due to (24) and (10)-(12), respectively. We can establish (14) in essentially the same way.

Next, we prove (15). Since the encoder $\varphi_n$ is deterministic for each $n \ge 1$, we have

$= nH(S) + H(U_n)$ (26)

for all $n \ge 1$, where the equality follows because $S^n$ is independent of $U_n$ and is generated from a memoryless source. On the other hand, recalling that

$$H(X_n Y_n) = H(X_n) + H(Y_n) - I(X_n; Y_n) \tag{27}$$

it follows from (26) and (27) that

$$\begin{aligned}
\frac{1}{n} \log |\mathcal{U}_n| &= \frac{1}{n} H(U_n) \\
&\ge \frac{1}{n} H(X_n Y_n) - H(S) \\
&\ge \frac{1}{n} \{H(X_n) + H(Y_n) - I(X_n; Y_n)\} - H(S)
\end{aligned} \tag{28}$$

for all $n \ge 1$, where the first equality follows from the uniformity of $U_n \in \mathcal{U}_n$. Therefore, we have

$$\begin{aligned}
\liminf_{n\to\infty} \frac{1}{n} \log |\mathcal{U}_n| &\ge \liminf_{n\to\infty} \frac{1}{n} H(X_n) + \liminf_{n\to\infty} \frac{1}{n} H(Y_n) - \limsup_{n\to\infty} \frac{1}{n} I(X_n; Y_n) - H(S) \\
&\ge H(S) + \ell
\end{aligned} \tag{29}$$

where the last inequality follows from (12) and (25). Note that we have $\liminf_{n\to\infty} \frac{1}{n} H(Y_n) \ge H(S) + \ell$ in the same way as (25).
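To prove (16), we use the fact that the decoding error probability and the success probabilities of impersonation attack in a (2, 2)-threshold scheme with correlation level $\ell$ are closely related to the error probabilities of the first kind and the second kind in hypothesis testing, respectively, which is pointed out in [14]-[16]. Let us consider a simple hypothesis test with the following two hypotheses:

$$H_0 : (X_n, Y_n) \sim P_{X_n Y_n} \tag{30}$$

$$H_1 : (\overline{X}_n, \overline{Y}_n) \sim P_{X_n} P_{Y_n}. \tag{31}$$

Let $\mathcal{A}_n \subset \mathcal{X}_n \times \mathcal{Y}_n$ denote an acceptance region for the null hypothesis $H_0$. Then, the error probability of the first kind and the error probability of the second kind of the above hypothesis testing are given by

$$\alpha_n = \sum_{(x_n, y_n) \in \mathcal{A}_n^c} P_{X_n Y_n}(x_n, y_n) = \Pr\{(X_n, Y_n) \notin \mathcal{A}_n\} \tag{32}$$

$$\beta_n = \sum_{(x_n, y_n) \in \mathcal{A}_n} P_{X_n}(x_n) P_{Y_n}(y_n) \tag{33}$$

where $\mathcal{A}_n^c$ denotes the complement set of $\mathcal{A}_n$. It is easy to see from (6) that $P_n^e \ge \alpha_n$ holds for any $n \ge 1$. Hence, in view of (7), we have

$$\lim_{n\to\infty} \alpha_n = 0. \tag{34}$$

Furthermore, it follows from (3) that

$$\begin{aligned}
P_n^X &= \max_{P_{\overline{X}_n}} \Pr\{(\overline{X}_n, Y_n) \in \mathcal{A}_n\} \\
&= \max_{P_{\overline{X}_n}} \sum_{(x_n, y_n) \in \mathcal{A}_n} P_{\overline{X}_n}(x_n) P_{Y_n}(y_n) \\
&\ge \beta_n.
\end{aligned} \tag{35}$$

Similarly, we also have $P_n^Y \ge \beta_n$. Therefore, it holds that

$$-\frac{1}{n} \log \beta_n \ge \max\left\{ -\frac{1}{n} \log P_n^X, \; -\frac{1}{n} \log P_n^Y \right\} \quad \text{for all } n \ge 1. \tag{36}$$

According to [24, Theorem 4.4.1] and [14, Theorem 2], we have

$$\begin{aligned}
I(X_n; Y_n) &= \sum_{(x_n, y_n) \in \mathcal{A}_n} P_{X_n Y_n}(x_n, y_n) \log \frac{P_{X_n Y_n}(x_n, y_n)}{P_{X_n}(x_n) P_{Y_n}(y_n)} + \sum_{(x_n, y_n) \in \mathcal{A}_n^c} P_{X_n Y_n}(x_n, y_n) \log \frac{P_{X_n Y_n}(x_n, y_n)}{P_{X_n}(x_n) P_{Y_n}(y_n)} \\
&\ge \Bigl( \sum_{\mathcal{A}_n} P_{X_n Y_n}(x_n, y_n) \Bigr) \log \frac{\sum_{\mathcal{A}_n} P_{X_n Y_n}(x_n, y_n)}{\sum_{\mathcal{A}_n} P_{X_n}(x_n) P_{Y_n}(y_n)} + \Bigl( \sum_{\mathcal{A}_n^c} P_{X_n Y_n}(x_n, y_n) \Bigr) \log \frac{\sum_{\mathcal{A}_n^c} P_{X_n Y_n}(x_n, y_n)}{\sum_{\mathcal{A}_n^c} P_{X_n}(x_n) P_{Y_n}(y_n)} \\
&= (1 - \alpha_n) \log \frac{1 - \alpha_n}{\beta_n} + \alpha_n \log \frac{\alpha_n}{1 - \beta_n} \\
&= -h(\alpha_n) - (1 - \alpha_n) \log \beta_n - \alpha_n \log(1 - \beta_n) \\
&\ge -h(\alpha_n) - (1 - \alpha_n) \log \beta_n
\end{aligned} \tag{37}$$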
where the first inequality follows from the log sum inequality, and the second inequality holds because $-\alpha_n \log(1 - \beta_n) \ge 0$. Hence, it follows from (36) and (37) that

$$\frac{1}{n} I(X_n; Y_n) \ge -\frac{h(\alpha_n)}{n} + (1 - \alpha_n) \max\left\{ -\frac{1}{n} \log P_n^X, \; -\frac{1}{n} \log P_n^Y \right\} \quad \text{for all } n \ge 1. \tag{38}$$

Therefore, we have (16) by taking the limit superior of both sides of (38) and noticing (34). □

Remark 3: The claim of Theorem 1 can be easily extended to the case where $S^n$ is generated from a stationary source. For the case of the stationary source, the entropy $H(S)$ in the statement of Theorem 1 is replaced with the entropy rate $H \overset{\mathrm{def}}{=} \lim_{n\to\infty} H(S^n)/n$. By recalling the existence of the limit of $\{H(S^n)/n\}_{n=1}^{\infty}$ [23, Theorem 4.2.1], we can easily check that both the left hand sides of (25) and (29) are bounded by $H + \ell$.

B. Proof of Theorem 2

We choose arbitrarily a sequence $\{\gamma_n\}_{n=1}^{\infty}$ of positive numbers that satisfies $\lim_{n\to\infty} \gamma_n = 0$ and $\lim_{n\to\infty} \sqrt{n}\,\gamma_n = \infty$. Let $\mathcal{T}_{\gamma_n}$ be the typical set defined by

$$\mathcal{T}_{\gamma_n} = \left\{ s^n \in \mathcal{S}^n : \left| \frac{1}{n} \log \frac{1}{P_{S^n}(s^n)} - H(S) \right| \le \gamma_n \right\}. \tag{39}$$

Then, it is well-known that (e.g., see [23, Theorem 3.1.2]) $\mathcal{T}_{\gamma_n}$ satisfies the following properties:

$$\lim_{n\to\infty} \Pr\{S^n \in \mathcal{T}_{\gamma_n}\} = 1 \tag{40}$$

$$|\mathcal{T}_{\gamma_n}| \le 2^{n\{H(S) + \gamma_n\}} \quad \text{for all } n \ge 1. \tag{41}$$

For an arbitrary $\ell \ge 0$, let $\mathcal{L}_n \overset{\mathrm{def}}{=} \{0, 1, \ldots, L_n - 1\}$ and $\mathcal{M}_n \overset{\mathrm{def}}{=} \{0, 1, \ldots, M_n - 1\}$ be sets of integers where $L_n \overset{\mathrm{def}}{=} \lfloor 2^{n\ell} \rfloor$ and $M_n \overset{\mathrm{def}}{=} |\mathcal{T}_{\gamma_n}|$.

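In the following, we construct a sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ of an encoder $\varphi_n^*$ and a decoder $\psi_n^*$ that asymptotically realizes a (2, 2)-threshold scheme with correlation level $\ell$ satisfying $|\mathcal{X}_n| = |\mathcal{Y}_n| = |\mathcal{U}_n| = L_n(M_n + 1)$.

The encoder $\varphi_n^*$ can be constructed as follows: Since $M_n = |\mathcal{T}_{\gamma_n}|$, there exists a bijection $\xi_n : \mathcal{T}_{\gamma_n} \to \mathcal{M}_n$. Furthermore, define a map $\xi_n^+ : \mathcal{S}^n \to \mathcal{M}_n^+$ where $\mathcal{M}_n^+ = \mathcal{M}_n \cup \{M_n\}$ by

$$\xi_n^+(s^n) = \begin{cases} \xi_n(s^n), & \text{if } s^n \in \mathcal{T}_{\gamma_n} \\ M_n, & \text{otherwise} \end{cases} \tag{42}$$

and let $Z_n = \xi_n^+(S^n)$. Denote by $U_n^L$ and $U_n^M$ the random variables subject to the uniform distribution on $\mathcal{L}_n$ and $\mathcal{M}_n^+$, respectively, and define $U_n = (U_n^L, U_n^M)$. In addition, we define two shares by

$$X_n = (X_n^L, X_n^M) = (U_n^L, Z_n \ominus U_n^M) \in \mathcal{L}_n \times \mathcal{M}_n^+ \tag{43}$$

$$Y_n = (Y_n^L, Y_n^M) = (U_n^L, U_n^M) \in \mathcal{L}_n \times \mathcal{M}_n^+ \tag{44}$$

where $\ominus$ represents subtraction modulo $M_n + 1$.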

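Next, let us define the decoder $\psi_n^*$. Let $x_n = (x_n^L, x_n^M) \in \mathcal{L}_n \times \mathcal{M}_n^+$ and $y_n = (y_n^L, y_n^M) \in \mathcal{L}_n \times \mathcal{M}_n^+$ be the inputs to the decoder $\psi_n^*$. Then, the decoder first checks whether $x_n^L = y_n^L$ holds or not. If $x_n^L \ne y_n^L$, the decoder judges that an impersonation attack has occurred and outputs $\bot$. On the other hand, if $x_n^L = y_n^L$, the decoder computes $x_n^M \oplus y_n^M$, where $\oplus$ denotes addition modulo $M_n + 1$. If $x_n^M \oplus y_n^M = M_n$, the decoder outputs $\bot$ since the decoding error occurs in such a case. Otherwise, the decoder outputs $\xi_n^{-1}(x_n^M \oplus y_n^M)$ where $\xi_n^{-1} : \mathcal{M}_n \to \mathcal{T}_{\gamma_n}$ is the inverse map of $\xi_n$. Summarizing, the decoder $\psi_n^*$ is written as

$$\psi_n^*(x_n, y_n) = \begin{cases} \xi_n^{-1}(x_n^M \oplus y_n^M), & \text{if } x_n^L = y_n^L \text{ and } x_n^M \oplus y_n^M \ne M_n \text{ are satisfied} \\ \bot, & \text{otherwise} \end{cases} \tag{45}$$

and the acceptance region of $\psi_n^*$ is given by

$$\mathcal{A}_n^* = \{(x_n, y_n) \in \mathcal{X}_n \times \mathcal{Y}_n : x_n^L = y_n^L \text{ and } x_n^M \oplus y_n^M \in \mathcal{M}_n\}. \tag{46}$$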
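The encoder (43)-(44) and decoder (45) can be checked exactly on a small instance. The following Python code is an added example, not code from the paper; the class and function names, the binary source with P(1) = 1/5, and the parameters n = 8, γ = 0.2, ℓ = 0.5 are constructed for illustration. It builds the typical set, runs the scheme, and computes the impersonation success probabilities and the decoding error as exact fractions.

```python
import itertools
import math
from fractions import Fraction

BOTTOM = None  # stands for the decoder's rejection symbol


class Scheme:
    """Encoder/decoder of (42)-(45) for a binary memoryless source (constructed)."""

    def __init__(self, n, p1, gamma, ell):
        self.n, self.p1 = n, Fraction(p1)
        q1 = float(self.p1)
        entropy = -(q1 * math.log2(q1) + (1 - q1) * math.log2(1 - q1))
        # Typical set (39): | (1/n) log 1/P(s^n) - H(S) | <= gamma
        self.typical = []
        for s in itertools.product((0, 1), repeat=n):
            k = sum(s)
            rate = -(k * math.log2(q1) + (n - k) * math.log2(1 - q1)) / n
            if abs(rate - entropy) <= gamma:
                self.typical.append(s)
        self.M = len(self.typical)             # M_n = size of the typical set
        self.L = math.floor(2 ** (n * ell))    # L_n = floor(2^(n*ell))
        self.index = {s: i for i, s in enumerate(self.typical)}  # bijection xi_n

    def prob(self, s):
        """Exact probability of the block s under the memoryless source."""
        k = sum(s)
        return self.p1 ** k * (1 - self.p1) ** (self.n - k)

    def share_values(self):
        """All elements of L_n x M_n^+, the alphabet of each share."""
        return itertools.product(range(self.L), range(self.M + 1))

    def encode(self, s, u_l, u_m):
        """(43)-(44): X = (U^L, Z - U^M mod M_n+1), Y = (U^L, U^M)."""
        z = self.index.get(tuple(s), self.M)   # atypical blocks map to M_n
        return (u_l, (z - u_m) % (self.M + 1)), (u_l, u_m)

    def decode(self, x, y):
        """(45): reject if the first components differ or the sum equals M_n."""
        if x[0] != y[0]:
            return BOTTOM
        z = (x[1] + y[1]) % (self.M + 1)
        return BOTTOM if z == self.M else self.typical[z]


def share_distributions(sc):
    """Exact marginals of X_n and Y_n under uniform U_n (share -> Fraction)."""
    px, py = {}, {}
    pu = Fraction(1, sc.L * (sc.M + 1))
    for s in itertools.product((0, 1), repeat=sc.n):
        w = sc.prob(s) * pu
        for u_l, u_m in sc.share_values():
            x, y = sc.encode(s, u_l, u_m)
            px[x] = px.get(x, 0) + w
            py[y] = py.get(y, 0) + w
    return px, py


def forgery_success(sc, honest_dist, forge_first):
    """Best acceptance probability of a forged share chosen without the real one.

    A point mass attains the maximum over all forging distributions, so it is
    enough to try every single forged value against the honest share's marginal.
    """
    best = Fraction(0)
    for forged in sc.share_values():
        accepted = Fraction(0)
        for honest, p in honest_dist.items():
            pair = (forged, honest) if forge_first else (honest, forged)
            if sc.decode(*pair) is not BOTTOM:
                accepted += p
        best = max(best, accepted)
    return best


def decoding_error(sc):
    """Pr{decoder output != S^n} on legitimate shares (it does not depend on U_n)."""
    blocks = itertools.product((0, 1), repeat=sc.n)
    return sum((sc.prob(s) for s in blocks
                if sc.decode(*sc.encode(s, 0, 0)) != s), Fraction(0))


if __name__ == "__main__":
    sc = Scheme(n=8, p1=Fraction(1, 5), gamma=0.2, ell=0.5)  # constructed values
    px, py = share_distributions(sc)
    p_x = forgery_success(sc, py, forge_first=True)    # impersonate participant 1
    p_y = forgery_success(sc, px, forge_first=False)   # impersonate participant 2
    print("L_n =", sc.L, " M_n =", sc.M)
    print("P^X =", p_x, " P^Y =", p_y, " bound 1/L_n =", Fraction(1, sc.L))
    print("exponent =", -math.log2(p_x) / sc.n, ">= ell = 0.5")
    print("decoding error =", float(decoding_error(sc)))
```

At this short blocklength the forgery probabilities already sit below 1/L_n, while the decoding error is still large because it only vanishes as n grows.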

Hereafter, we prove that the above sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ realizes the optimal (2, 2)-threshold scheme with correlation level $\ell$ that asymptotically attains all the bounds in (17)-(20). It suffices to prove Claims 1-5 below.

Claim 1: For an arbitrarily small $\gamma > 0$, the rates of $X_n$, $Y_n$ and $U_n$ cannot be less than $H(S) + \ell - \gamma$ for all sufficiently large n, i.e., (17)-(19) hold.

Claim 2: The limit inferior of the minimum exponent in the success probabilities of impersonation attacks is at least $\ell$, i.e., (20) holds.

Claim 3: The decoding error probability for the legitimate shares vanishes as n goes to infinity, i.e., (7) holds.

Claim 4: For all $n \ge 1$, the n source outputs $S^n$ are secure against the leakage from one of $X_n$ and $Y_n$, i.e., (21) holds.

Claim 5: The correlation level between $X_n$ and $Y_n$ equals $\ell$, i.e., (12) holds.

Proof of Claim 1: In order to evaluate the share rates and the randomness given by (17)-(19), observe that

$$\log|\mathcal{X}_n| = \log|\mathcal{Y}_n| = \log|\mathcal{U}_n| = \log\{L_n(M_n + 1)\} = \log\{\lfloor 2^{n\ell} \rfloor (|\mathcal{T}_{\gamma_n}| + 1)\} \le n\{H(S) + \ell + \gamma_n\} + 1 \tag{47}$$

where the last inequality follows from (41). Hence, it holds that

$$\frac{1}{n}\log|\mathcal{X}_n| = \frac{1}{n}\log|\mathcal{Y}_n| = \frac{1}{n}\log|\mathcal{U}_n| \le H(S) + \ell + \gamma_n + \frac{1}{n}. \tag{48}$$

Taking the limit superior of both sides in (48), Claim 1 is established. □
Proof of Claim 2: We evaluate in the following way:

= maxPr{(X„,y„) G An] 

= maxPr {xf = Y,f and ® G | 

< m^xPr {Xf = r„^} = maxPr {Xf = C/,f } 

= max ^ P-^r(a;^)Pc7c(a;f) 



= — max 2^ - 



(49) 



where X„ = (xf , X;^) e £„ x and Y„ = (i;f , F.^") = (L/,f , t/^f^) e £„ x X+, and the marked equahties 
follow from the following reasons: 

(a) X„ and are independent. 

(b) $P_{U_n^{\mathcal{L}}}(x_n^{\mathcal{L}}) = 1/L_n$ holds for all $x_n^{\mathcal{L}} \in \mathcal{L}_n$.

Similarly, noticing the fact that = C/,f , we also have P^ < 1/L„, and therefore, we conclude that 

lim inf min | - ^ log , - ^ log P^ \ > lim inf ^ log L„ = f . (50) 

□ 

Proof of Claim 3: Since every legitimate pair $(x_n, y_n) \in \mathcal{A}_n^*$ of shares is decoded by $\psi_n^*$ without error, the decoding error happens only if the decoder outputs $\perp$ for a pair of legitimate shares $(x_n, y_n)$. Hence, the decoding error probability $P_n^e$ can be written as

$$P_n^e = \Pr\{\psi_n^*(X_n, Y_n) = \perp\} = \Pr\{\zeta_n^+(S^n) = M_n\} = \Pr\{S^n \notin \mathcal{T}_{\gamma_n}\}.$$

Therefore, it follows from (40) that $\lim_{n\to\infty} P_n^e = 1 - \lim_{n\to\infty} \Pr\{S^n \in \mathcal{T}_{\gamma_n}\} = 0$. □

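Proof of Claim 4: First, we note that $Z_n$ and $X_n^{\mathcal{M}} = Z_n \ominus U_n^{\mathcal{M}}$ are independent because of non-negativity of the mutual information and

$$\begin{aligned} I(Z_n; Z_n \ominus U_n^{\mathcal{M}}) &= H(Z_n) + H(Z_n \ominus U_n^{\mathcal{M}}) - H(Z_n, Z_n \ominus U_n^{\mathcal{M}}) \\ &= H(Z_n) + H(Z_n \ominus U_n^{\mathcal{M}}) - H(Z_n, U_n^{\mathcal{M}}) \\ &= H(Z_n \ominus U_n^{\mathcal{M}}) - H(U_n^{\mathcal{M}}) \\ &\le 0 \end{aligned} \tag{51}$$

where the last inequality holds because $Z_n \ominus U_n^{\mathcal{M}} \in \mathcal{M}_n^+$ and $U_n^{\mathcal{M}}$ is subject to the uniform distribution on $\mathcal{M}_n^+$. Hence, $Z_n$ and $X_n = (X_n^{\mathcal{L}}, X_n^{\mathcal{M}})$ are also independent because

$$\begin{aligned} I(Z_n; X_n) &= I(Z_n; X_n^{\mathcal{L}} X_n^{\mathcal{M}}) \\ &= I(Z_n; X_n^{\mathcal{M}}) + I(Z_n; X_n^{\mathcal{L}} | X_n^{\mathcal{M}}) \\ &= 0 \end{aligned} \tag{52}$$

where the last equality follows since $I(Z_n; X_n^{\mathcal{M}}) = 0$, and $Z_n$, $X_n^{\mathcal{M}}$, and $X_n^{\mathcal{L}}$ form a Markov chain in this order.

In order to show (21), it is sufficient to prove that $I(S^n; X_n) = 0$ for all $n \ge 1$ because $I(S^n; Y_n) = 0$ for any $n \ge 1$ trivially holds from the fact that $S^n$ and $Y_n = (U_n^{\mathcal{L}}, U_n^{\mathcal{M}})$ are independent. In addition, $I(S^n; X_n) = 0$ is established from $I(S^n; X_n) \le I(Z_n; X_n) = 0$ which is obtained by the information processing inequality [23, Theorem 2.8.1] for a Markov chain $S^n \to Z_n \to X_n$, and recalling (52). □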

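Proof of Claim 5: The correlation level can be evaluated as follows. Note that the mutual information of shares $X_n$ and $Y_n$ satisfies

$$\begin{aligned} I(X_n; Y_n) &= I(X_n^{\mathcal{L}} X_n^{\mathcal{M}}; Y_n^{\mathcal{L}} Y_n^{\mathcal{M}}) \\ &= I(U_n^{\mathcal{L}} X_n^{\mathcal{M}}; U_n^{\mathcal{L}} U_n^{\mathcal{M}}) \\ &= H(U_n^{\mathcal{L}} X_n^{\mathcal{M}}) - H(X_n^{\mathcal{M}} | U_n^{\mathcal{L}} U_n^{\mathcal{M}}) - H(U_n^{\mathcal{L}} | X_n^{\mathcal{M}} U_n^{\mathcal{L}} U_n^{\mathcal{M}}) \\ &\overset{(c)}{=} H(U_n^{\mathcal{L}}) + H(X_n^{\mathcal{M}}) - H(X_n^{\mathcal{M}} | U_n^{\mathcal{M}}) \\ &\overset{(d)}{=} H(U_n^{\mathcal{L}}) + H(X_n^{\mathcal{M}}) - H(Z_n) \end{aligned} \tag{53}$$

where the marked equalities hold because of the following reasons:

(c) $U_n^{\mathcal{L}}$ and $X_n^{\mathcal{M}}$ are independent, and $U_n^{\mathcal{L}}$, $U_n^{\mathcal{M}}$, and $X_n^{\mathcal{M}}$ form a Markov chain in this order.

(d) It follows that $H(X_n^{\mathcal{M}} | U_n^{\mathcal{M}}) = H(Z_n \ominus U_n^{\mathcal{M}} | U_n^{\mathcal{M}}) = H(Z_n | U_n^{\mathcal{M}}) = H(Z_n)$ due to the independence of $S^n$ and $U_n$.

Hereafter, we evaluate the terms on the right hand side of (53). It is easy to see that

$$H(U_n^{\mathcal{L}}) = \log L_n = \log \lfloor 2^{n\ell} \rfloor. \tag{54}$$

The second term in the right hand side of (53) can be evaluated as

$$H(X_n^{\mathcal{M}}) \le \log(M_n + 1) = \log(|\mathcal{T}_{\gamma_n}| + 1) \le n\{H(S) + \gamma_n\} + 1 \tag{55}$$

where the last inequality follows from (41). In order to evaluate the last term on the right hand side of (53), we set $\delta_n = \Pr\{\zeta_n^+(S^n) = M_n\} = \Pr\{S^n \notin \mathcal{T}_{\gamma_n}\}$. Clearly, $\lim_{n\to\infty} \delta_n = 0$ from (40). Since the map $\zeta_n : \mathcal{T}_{\gamma_n} \to \mathcal{M}_n$ is bijective, we have

$$\begin{aligned} H(Z_n) &= H(\zeta_n^+(S^n)) \\ &\ge \sum_{s^n \in \mathcal{T}_{\gamma_n}} P_{S^n}(s^n)\, n\{H(S) - \gamma_n\} - \delta_n \log \delta_n \\ &= (1 - \delta_n) n\{H(S) - \gamma_n\} - \delta_n \log \delta_n \end{aligned} \tag{56}$$

where the inequality holds because of (41). Hence, we have from (55) and (56) that

$$H(X_n^{\mathcal{M}}) - H(Z_n) \le n\delta_n H(S) + n(2 - \delta_n)\gamma_n + \delta_n \log \delta_n + 1. \tag{57}$$

On the other hand, it is easy to see with the same reason for the equality (d) in (53) that

$$H(X_n^{\mathcal{M}}) - H(Z_n) \ge H(X_n^{\mathcal{M}} | U_n^{\mathcal{M}}) - H(Z_n) = 0. \tag{58}$$

Summarizing, we have from (53), (54), (57), and (58) that

$$\frac{1}{n}\log\lfloor 2^{n\ell} \rfloor \le \frac{1}{n} I(X_n; Y_n) \le \frac{1}{n}\log\lfloor 2^{n\ell} \rfloor + \delta_n H(S) + (2 - \delta_n)\gamma_n + \frac{1}{n}(\delta_n \log \delta_n + 1). \tag{59}$$

By taking the limit of both sides of (59) and noticing that $\lim_{n\to\infty} \gamma_n = \lim_{n\to\infty} \delta_n = 0$, we have

$$\lim_{n\to\infty} \frac{1}{n} I(X_n; Y_n) = \ell. \tag{60}$$

□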

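Since Claims 1-5 are verified, Theorem 2 is proved. □

Remark 4: The claim of Theorem 2 is valid for the class of stationary ergodic sources if the entropy $H(S)$ in Theorem 2 is replaced with the entropy rate $H \stackrel{\rm def}{=} \lim_{n\to\infty} H(S^n)/n$. This fact is obtained by a slight modification of the proof of Theorem 2 followed by the diagonal line argument [25, Theorem 1.8.2]. First, by the asymptotic equipartition property [23, Theorem 3.1.2], we have

$$\lim_{n\to\infty} \Pr\{S^n \in \mathcal{T}_{n,\gamma}\} = 1 \tag{61}$$

for any constant $\gamma > 0$, where

$$\mathcal{T}_{n,\gamma} = \left\{ s^n \in \mathcal{S}^n : \left| \frac{1}{n}\log\frac{1}{P_{S^n}(s^n)} - H \right| \le \gamma \right\} \tag{62}$$

and $H$ denotes the entropy rate of the source. We construct an encoder $\varphi_{n,\gamma}^*$ and a decoder $\psi_{n,\gamma}^*$ in the same way as in the proof of Theorem 2. It is easily checked that $\{(\varphi_{n,\gamma}^*, \psi_{n,\gamma}^*)\}_{n=1}^{\infty}$ asymptotically realizes the (2, 2)-threshold scheme. In addition, by the same argument with (48) and (59), $\{(\varphi_{n,\gamma}^*, \psi_{n,\gamma}^*)\}_{n=1}^{\infty}$ satisfies

$$\frac{1}{n}\log|\mathcal{X}_n| = \frac{1}{n}\log|\mathcal{Y}_n| = \frac{1}{n}\log|\mathcal{U}_n| \le H + \ell + \gamma + \frac{1}{n} \tag{63}$$

and

$$\frac{1}{n}\log\lfloor 2^{n\ell} \rfloor \le \frac{1}{n} I(X_n; Y_n) \le \frac{1}{n}\log\lfloor 2^{n\ell} \rfloor + \delta_{n,\gamma} H + (2 - \delta_{n,\gamma})\gamma + \frac{1}{n}(\delta_{n,\gamma} \log \delta_{n,\gamma} + 1) \tag{64}$$

where $\delta_{n,\gamma} \stackrel{\rm def}{=} \Pr\{S^n \notin \mathcal{T}_{n,\gamma}\} \to 0$ as $n \to \infty$. Note that (64) implies that

$$\left| \frac{1}{n} I(X_n; Y_n) - \ell \right| \le 3\gamma \quad \text{for all } n \ge N_0(\gamma). \tag{65}$$

We now fix a sequence $\{\gamma_m\}_{m=1}^{\infty}$ satisfying $\gamma_0 > \gamma_1 > \cdots > \gamma_m > \cdots > 0$ arbitrarily and define $N_0 = 1$ and $N_m$, $m = 1, 2, \ldots$, as the minimum integer $N$ satisfying $|I(X_n; Y_n)/n - \ell| \le 3\gamma_m$ for all $n \ge N$. Obviously, $\{N_m\}_{m=1}^{\infty}$ is monotone nondecreasing. We define $(\varphi_n^*, \psi_n^*)$ as $(\varphi_{n,\gamma_0}^*, \psi_{n,\gamma_0}^*)$ for each $1 \le n < N_1$ and $(\varphi_{n,\gamma_m}^*, \psi_{n,\gamma_m}^*)$ for each $N_m \le n < N_{m+1}$, $m = 1, 2, \ldots$. Then, in view of (63), (65) and $\gamma_m \downarrow 0$ as $m \to \infty$, we can conclude that $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ satisfies

$$\limsup_{n\to\infty} \frac{1}{n}\log|\mathcal{X}_n| = \limsup_{n\to\infty} \frac{1}{n}\log|\mathcal{Y}_n| = \limsup_{n\to\infty} \frac{1}{n}\log|\mathcal{U}_n| \le H + \ell \tag{66}$$

and

$$\lim_{n\to\infty} \frac{1}{n} I(X_n; Y_n) = \ell. \tag{67}$$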

V. Another Optimal Scheme Using Symbolwise Encoding 

In Section III, we have shown by using blockwise coding that the sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ of an encoder and a decoder realizes the asymptotically optimal (2, 2)-threshold scheme with correlation level $\ell$. In addition, $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ also attains the maximum exponent in the success probabilities of impersonation attack, which is given by $\ell$. In this section, by using a symbolwise encoding, we give a simple construction of $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ that realizes the asymptotically optimal (2, 2)-threshold scheme with correlation level $\ell$ and for which the exponent in the success probability of impersonation attacks equals $\ell$. In this construction, we use a pair $(f, g)$ of an encoder $f$ and a decoder $g$ for a (2, 2)-threshold scheme for a single source output $S$. In addition, a one-sided test is used to detect the impersonation attacks.

Let $S$, $U$, $X$ and $Y$ be random variables of a secret, a random number, and two shares taking values in finite sets $\mathcal{S}$, $\mathcal{U}$, $\mathcal{X}$ and $\mathcal{Y}$, respectively. For a non-negative number $\ell$, we first define a pair $(f, g)$ of an encoder $f$ and a decoder $g$ for a (2, 2)-threshold scheme with correlation level $\ell$. That is, the encoder $f : \mathcal{S} \times \mathcal{U} \to \mathcal{X} \times \mathcal{Y}$ is defined to be a deterministic map satisfying

$$H(S|X) = H(S|Y) = H(S) \tag{68}$$

$$H(S|XY) = 0 \tag{69}$$

in addition to

$$I(X; Y) = \ell \tag{70}$$

where shares $X$ and $Y$ are determined by $(X, Y) = f(S, U)$. Note that (68) and (69) are the ordinary requirements for (2, 2)-threshold schemes, i.e., (68) guarantees that any information of $S$ does not leak from either one of the shares, and (69) implies that the secret $S$ can be decoded from $X$ and $Y$ without error. Hence, let $g : \mathcal{X} \times \mathcal{Y} \to \mathcal{S} \cup \{\lambda\}$ be a decoder corresponding to $f$ and satisfying $g(x, y) = \lambda$ for every $(x, y) \in \mathcal{X} \times \mathcal{Y}$ that does not belong to the range of $f$. Furthermore, (70) means that the correlation level of $X$ and $Y$ generated by the encoder $f$ is equal to $\ell$. We say that a pair $(f, g)$ of an encoder $f$ and a decoder $g$ realizes a (2, 2)-threshold scheme with correlation level $\ell$ in the non-asymptotic sense if $(f, g)$ satisfies (68)-(70). In addition, it is shown in [26] that

$$\min\{|\mathcal{X}|, |\mathcal{Y}|, |\mathcal{U}|\} \ge |\mathcal{S}| \tag{71}$$

must be satisfied for any encoder of (2, 2)-threshold schemes satisfying (68) and (69). Hence, we also impose (71) on $f$ in addition to (68)-(70).

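In this setting, we define an encoder $\varphi_n^* : \mathcal{S}^n \times \mathcal{U}^n \to \mathcal{X}^n \times \mathcal{Y}^n$ as the repeated application of $f : \mathcal{S} \times \mathcal{U} \to \mathcal{X} \times \mathcal{Y}$ to $(S_i, U_i)$, $i = 1, 2, \ldots, n$, which can be written as

$$\varphi_n^*(s^n, u^n) = f(s_1, u_1) f(s_2, u_2) \cdots f(s_n, u_n) \tag{72}$$

where $s^n \stackrel{\rm def}{=} s_1 s_2 \cdots s_n \in \mathcal{S}^n$ and $u^n \stackrel{\rm def}{=} u_1 u_2 \cdots u_n \in \mathcal{U}^n$ are $n$ secrets and $n$ random numbers, respectively. Hence, the two shares $X^n = X_1 X_2 \cdots X_n \in \mathcal{X}^n$ and $Y^n = Y_1 Y_2 \cdots Y_n \in \mathcal{Y}^n$ are i.i.d. copies of $X$ and $Y$, respectively, where $(X_i, Y_i) = f(S_i, U_i)$.

Furthermore, we define

$$\mathcal{A}_n^* = \left\{ (x^n, y^n) \in \mathcal{X}^n \times \mathcal{Y}^n : \frac{1}{n}\log\frac{P_{X^n Y^n}(x^n, y^n)}{P_{X^n}(x^n) P_{Y^n}(y^n)} \ge I(X; Y) - \gamma_n \right\} \tag{73}$$

where $\gamma_n$ is an arbitrary sequence of positive integers $\{\gamma_n\}_{n=1}^{\infty}$ satisfying $\lim_{n\to\infty} \gamma_n = 0$ and $\lim_{n\to\infty} \sqrt{n}\gamma_n = \infty$. Then, legitimate shares belong to $\mathcal{A}_n^*$ with high probability if $n$ is sufficiently large since

$$\lim_{n\to\infty} \Pr\{(X^n, Y^n) \in \mathcal{A}_n^*\} = 1 \tag{74}$$

holds from the law of large numbers. Hence, we regard the received shares as legitimate if they belong to $\mathcal{A}_n^*$, and decode them by the decoder $g_n$ corresponding to the encoder in (72), where $g_n$ can be written as

$$g_n(x^n, y^n) = g(x_1, y_1) g(x_2, y_2) \cdots g(x_n, y_n). \tag{75}$$

In addition, the decoder $\psi_n^* : \mathcal{X}^n \times \mathcal{Y}^n \to \mathcal{S}^n \cup \{\perp\}$ is defined by

$$\psi_n^*(x^n, y^n) = \begin{cases} g_n(x^n, y^n), & \text{if } (x^n, y^n) \in \mathcal{A}_n^* \\ \perp, & \text{otherwise} \end{cases} \tag{76}$$

where $\perp$ means that the impersonation attack, i.e., (a1) or (a2) in Section II, is detected.

According to (74), every $(x^n, y^n) \in \mathcal{A}_n^*$ satisfies $P_{X^n Y^n}(x^n, y^n) > 0$, which is equivalent to $P_{XY}(x_i, y_i) > 0$, i.e., $g(x_i, y_i) \neq \lambda$, for all $i = 1, 2, \ldots, n$. Hence, for every $(x^n, y^n) \in \mathcal{A}_n^*$, there uniquely exists $s^n \in \mathcal{S}^n$ that satisfies $g_n(x^n, y^n) = s^n$ whether the received shares $x^n$ and $y^n$ are legitimate or not. Furthermore, if the pair of shares $(x^n, y^n) \in \mathcal{A}_n^*$ is legitimate, the secret is reproduced without error due to the definitions of $f$ and $\varphi_n^*$. More precisely, $\psi_n^*(x^n, y^n) = g_n(x^n, y^n) = s^n$ holds for every $u^n \in \mathcal{U}^n$, $s^n \in \mathcal{S}^n$, $x^n \in \mathcal{X}^n$ and $y^n \in \mathcal{Y}^n$ satisfying $\varphi_n^*(s^n, u^n) = (x^n, y^n) \in \mathcal{A}_n^*$.

The above sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ defined by (72) and (76) realizes an asymptotic (2, 2)-threshold scheme with correlation level $\ell$.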

Theorem 3: Let $(f, g)$ be any pair of an encoder and a decoder that realizes a (2, 2)-threshold scheme with correlation level $\ell$ in the non-asymptotic sense. Then, the sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ defined by (72) and (76) satisfies for all $n \ge 1$ that

$$P_n^e = \Pr\{(X^n, Y^n) \notin \mathcal{A}_n^*\} \tag{77}$$

$$H(S^n|X^n) = H(S^n|Y^n) = H(S^n) \tag{78}$$

$$I(X^n; Y^n) = n\ell \tag{79}$$

which obviously realizes an asymptotic (2, 2)-threshold scheme with correlation level $\ell$. In addition, this $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ satisfies (20).

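Proof of Theorem 3: First, we prove (77). If there is a one-to-one correspondence between $(s^n, u^n)$ and $(x^n, y^n)$, (77) is obvious. We show that (77) holds for any pair of $f$ and $g$ satisfying (68) and (69) which does not guarantee the existence of such a one-to-one correspondence.

Define

$$\mathcal{D}_n(x^n, y^n) \stackrel{\rm def}{=} \{(s^n, u^n) : \varphi_n^*(s^n, u^n) = (x^n, y^n) \text{ and } \psi_n^*(x^n, y^n) = s^n\}. \tag{80}$$

Recalling that $\psi_n^*(x^n, y^n) = g_n(x^n, y^n) = s^n$ for every $u^n \in \mathcal{U}^n$, $s^n \in \mathcal{S}^n$, $x^n \in \mathcal{X}^n$ and $y^n \in \mathcal{Y}^n$ satisfying $\varphi_n^*(s^n, u^n) = (x^n, y^n) \in \mathcal{A}_n^*$, it holds for all $(x^n, y^n) \in \mathcal{A}_n^*$ that

$$\begin{aligned} \mathcal{D}_n(x^n, y^n) &= \{(s^n, u^n) : \varphi_n^*(s^n, u^n) = (x^n, y^n) \text{ and } g_n(x^n, y^n) = s^n\} \\ &= \{(s^n, u^n) : \varphi_n^*(s^n, u^n) = (x^n, y^n)\} \\ &= \varphi_n^{*-1}(x^n, y^n) \end{aligned} \tag{81}$$

where $\varphi_n^{*-1}(x^n, y^n)$ means the inverse image of $(x^n, y^n)$.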
Next, we define 

V„ = {{s^\u-) : = (82) 

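Then, since $\psi_n^*(x^n, y^n) = \perp$ for all $(x^n, y^n) \notin \mathcal{A}_n^*$ and $s^n$ is reproduced without error from every $(x^n, y^n) \in \mathcal{A}_n^*$, we have

$$\mathcal{D}_n = \bigcup_{(x^n, y^n) \in \mathcal{A}_n^*} \mathcal{D}_n(x^n, y^n) = \bigcup_{(x^n, y^n) \in \mathcal{A}_n^*} \varphi_n^{*-1}(x^n, y^n) \tag{83}$$

where the second equality follows from (81). Furthermore, since $\varphi_n^*$ is deterministic, it is easy to see that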

<-^(x",2/") n ^ for all (x",2/") ^ (84) 
From (83) and (84), it is shown that $\{\varphi_n^{*-1}(x^n, y^n)\}_{(x^n, y^n) \in \mathcal{A}_n^*}$ is a partition of $\mathcal{D}_n$. Therefore, we have

(s",u")6D„ 

= Pr{(X",y") eyt;} (85) 

where the first equality comes from the definition of the decoding error probability and the third equality is due to the definition of $P_{X^n Y^n}(\cdot, \cdot)$, i.e., $P_{X^n Y^n}(x^n, y^n) = \sum_{(s^n, u^n) \in \mathcal{S}^n \times \mathcal{U}^n : \varphi_n^*(s^n, u^n) = (x^n, y^n)} P_{S^n U^n}(s^n, u^n)$. Hence, we obtain (77). It is easy to see from (74) that $P_n^e$ satisfies (7), i.e., the decoding error probability of $\psi_n^*$ in (76) vanishes as $n$ goes to infinity.

In order to establish Theorem 3, it remains to show that $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ satisfies (20). Note that (78) and (79) clearly hold from (68) and (70), respectively. To this end, we evaluate the success probability of the impersonation attack as follows:

P„^=maxPr{(X",r")€^:} 

= max E PxA^nPrAvn 

<max V P^„(a;")^^:21&^2-"(^--") 
- P^r, ^ Px" a;" 

= 2-"(^-T") (86) 
where the first inequality follows from (73) which implies

$$P_{Y^n}(y^n) \le \frac{P_{X^n Y^n}(x^n, y^n)}{P_{X^n}(x^n)} 2^{-n\{I(X;Y) - \gamma_n\}} = \frac{P_{X^n Y^n}(x^n, y^n)}{P_{X^n}(x^n)} 2^{-n(\ell - \gamma_n)} \tag{87}$$

for any $(x^n, y^n) \in \mathcal{A}_n^*$. Similarly, we have $\le 2^{-n(\ell - \gamma_n)}$. Hence, we obtain (20) since $\lim_{n\to\infty} \gamma_n = 0$. □

Since Theorem 3 has been proved, we are now interested in a relation between the share rates and the correlation level attained by a pair $(f, g)$ of an encoder $f$ and a decoder $g$, which is given by the following claim:

Claim 6: Let $M$ and $M_S$ be arbitrary positive integers satisfying $M \ge M_S$. Then, there exists a pair $(f^*, g^*)$ of an encoder $f^*$ and a decoder $g^*$ for a (2, 2)-threshold scheme with correlation level $\ell = \log M - H(S)$ in the non-asymptotic sense satisfying $|\mathcal{X}| = |\mathcal{Y}| = |\mathcal{U}| = M$ and $|\mathcal{S}| = M_S$.
Remark 5: According to Claim 6, the rates of shares and randomness are $\log|\mathcal{X}| = \log|\mathcal{Y}| = \log|\mathcal{U}| = \log M = H(S) + \ell$, which coincides with the lower bounds of the rates given by (17)-(19). Hence, the sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ defined by (72) and (76) also achieves all the bounds in Theorem 2. Observe that the sequence of encoders $\{\varphi_n^*\}_{n=1}^{\infty}$ in this section is simpler than the sequence of encoders presented in Theorem 2. For instance, $S^n$ cannot be encoded symbolwisely by the sequence of encoders in the proof of Theorem 2 since the correlation of two shares is generated by the random variable $U_n^{\mathcal{L}}$ contained in common in both shares. On the other hand, symbolwise encoding is possible by the sequence of encoders in this section since $X_i$ and $Y_i$ are correlated due to $f$ for every $i = 1, 2, \ldots, n$. Furthermore, such symbolwise encoding also guarantees that $I(S_i; X_i) = I(S_i; Y_i) = 0$ for every $i = 1, 2, \ldots, n$, which is stronger than the security condition given by (21) in Theorem 2.

However, we note that $M$, $M_S$ and the correlation level $\ell$ cannot be set arbitrarily in Claim 6 although they can be taken arbitrarily in Theorem 2, which is compensation for the simplicity.

Remark 6: In the threshold scheme with detectability of substitution attacks in a non-asymptotic setup (e.g., [3]-[8]), it is shown that any ideal secret sharing scheme cannot detect any forgery of shares with probability 1. Furthermore, as is shown in [26], we note that the ideal secret sharing schemes can be realized if and only if $|\mathcal{X}| = |\mathcal{Y}| = |\mathcal{S}|$ and $S$ is uniformly distributed.

Similarly, in the asymptotic setup discussed in this section, it is impossible for any $(f, g)$ of an ideal (2, 2)-threshold scheme to achieve and with exponential order of $n$ because the correlation level $\log M - H(S) = 0$ is satisfied if and only if $M = |\mathcal{S}|$ and $S$ is uniformly distributed. On the other hand, we note that $\ell$ is positive for arbitrary distribution of $S$ if $\min\{|\mathcal{X}|, |\mathcal{Y}|, |\mathcal{U}|\} > |\mathcal{S}|$. □

Proof of Claim 6: From (71), let us define

$$\mathcal{X} = \mathcal{Y} = \mathcal{U} = \{0, 1, \ldots, M - 1\} \tag{88}$$

$$\mathcal{S} = \{0, 1, \ldots, M_S - 1\} \tag{89}$$

where $M \ge M_S$. Define the encoder $f^* : \mathcal{S} \times \mathcal{U} \to \mathcal{X} \times \mathcal{Y}$ for a secret $s \in \mathcal{S}$ and a random number $u \in \mathcal{U}$ as

$$f^*(s, u) = (s \ominus u, u) \tag{90}$$

where $\ominus$ denotes the subtraction of modulo $M$. Then, the corresponding decoder $g^* : \mathcal{X} \times \mathcal{Y} \to \mathcal{S} \cup \{\lambda\}$ can be written as

$$g^*(x, y) = \begin{cases} x \oplus y, & \text{if } x \oplus y \in \mathcal{S} \\ \lambda, & \text{otherwise} \end{cases} \tag{91}$$

where $\oplus$ represents the addition of modulo $M$. Note that the secret $s$ can be decoded by $g^*$ without error, and hence, (69) is satisfied. Furthermore, we can check that a pair of the shares $(X, Y)$ is generated according to the conditional probability distribution

$$P_{XY|S}(x, y|s) = \begin{cases} 1/M, & \text{if } s = x \oplus y \in \mathcal{S} \\ 0, & \text{otherwise} \end{cases} \tag{92}$$

if we apply the encoder $f^*$ defined in (90) to the secret $S$ with an arbitrary probability distribution $P_S(\cdot)$. Hence, the following discussion holds for an arbitrary distribution on $\mathcal{S}$. This idea is based on the secret sharing scheme for non-uniform secret distribution studied in [26].

We show that (68) is satisfied by $X$ and $Y$ generated by $f^*$. For every fixed $x \in \mathcal{X}$ and $s \in \mathcal{S}$, we can check that there exists a unique $y \in \mathcal{Y}$ satisfying $s = g^*(x, y)$. Hence, it holds from (92) that

$$P_{X|S}(x|s) = \sum_{y \in \mathcal{Y}} P_{XY|S}(x, y|s) = \frac{1}{M} \tag{93}$$

for every $(x, s) \in \mathcal{X} \times \mathcal{S}$. Then, we have

$$P_X(x) = \sum_{s \in \mathcal{S}} P_{X|S}(x|s) P_S(s) = \frac{1}{M}. \tag{94}$$

From (93) and (94), it is shown that $S$ and $X$ are statistically independent. Similarly, it can be shown that $S$ and $Y$ are statistically independent, and hence, (68) is proved.

The correlation level of $X$ and $Y$ generated by $f^*$ can be calculated as follows. We note that

$$H(XY) \overset{(e)}{=} H(US) \overset{(f)}{=} H(U) + H(S) = \log M + H(S) \tag{95}$$

where the marked equalities (e) and (f) hold since

(e) there exists a bijection between $\mathcal{U} \times \mathcal{S}$ and $\mathcal{X} \times \mathcal{Y}$.

(f) $U$ and $S$ are statistically independent.

Therefore, we obtain from (94) and (95) that

$$I(X; Y) = H(X) + H(Y) - H(XY) = 2\log M - \{\log M + H(S)\} = \log M - H(S). \tag{96}$$

Hence, it is shown that the pair $(f^*, g^*)$ of the encoder and the decoder actually realizes a (2, 2)-threshold scheme with correlation level $\log M - H(S)$. □
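The construction in Claim 6 and the test-based decoder (76) of Theorem 3 can be checked numerically on a small alphabet. The following Python sketch is an added example, not code from the paper; the function names, the use of `None` for both $\lambda$ and $\perp$, and the sample source distribution are assumptions made here.

```python
import math

def f_star(s, u, M):
    """Encoder (90): (x, y) = (s - u mod M, u)."""
    return (s - u) % M, u

def g_star(x, y, M, Ms):
    """Decoder (91): x + y mod M if it lies in S, else None (stands for lambda)."""
    s = (x + y) % M
    return s if s < Ms else None

def joint_sxy(ps, M):
    """P_SXY induced by f* for S ~ ps and U uniform on {0, ..., M-1}."""
    return {(s, *f_star(s, u, M)): p / M
            for s, p in enumerate(ps) for u in range(M)}

def marginal(pmf, idx):
    """Marginal pmf over the coordinates listed in idx."""
    out = {}
    for key, p in pmf.items():
        k = tuple(key[i] for i in idx)
        out[k] = out.get(k, 0.0) + p
    return out

def entropy(pmf):
    """Shannon entropy in bits."""
    return -sum(p * math.log2(p) for p in pmf.values() if p > 0)

def mutual_info(pmf, a, b):
    """I(A;B) = H(A) + H(B) - H(AB) for coordinate groups a and b."""
    return (entropy(marginal(pmf, a)) + entropy(marginal(pmf, b))
            - entropy(marginal(pmf, a + b)))

def psi(xn, yn, ps, M, gamma):
    """Decoder (76): decode with g* only if the pair passes the test (73)."""
    pmf = joint_sxy(ps, M)
    pxy, level = marginal(pmf, (1, 2)), mutual_info(pmf, (1,), (2,))
    score = 0.0
    for xy in zip(xn, yn):
        p = pxy.get(xy, 0.0)
        if p == 0.0:                   # pair outside the range of f*
            return None                # None stands for the reject symbol
        score += math.log2(p * M * M)  # P_X = P_Y = 1/M by (94)
    if score / len(xn) < level - gamma:
        return None
    return [g_star(x, y, M, len(ps)) for x, y in zip(xn, yn)]

if __name__ == "__main__":
    ps, M = [0.7, 0.2, 0.1], 5         # constructed non-uniform source, M > M_S
    pmf = joint_sxy(ps, M)
    print("I(X;Y) =", mutual_info(pmf, (1,), (2,)))   # log M - H(S)
    print("I(S;X) =", mutual_info(pmf, (0,), (1,)))   # 0 up to rounding
    sn = [0] * 7 + [1] * 2 + [2]       # constructed secrets
    xn, yn = zip(*(f_star(s, i % M, M) for i, s in enumerate(sn)))
    print("legitimate:", psi(xn, yn, ps, M, 0.1))
    forged = [(2 - y) % M for y in yn] # every pair decodes to s = 2 under g*
    print("forged:", psi(forged, yn, ps, M, 0.1))
```

The forged share in the demo lies entirely in the range of $f^*$, so $g^*$ alone would decode it; it is the one-sided test (73) that rejects it.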

VI. Conclusion

This paper is concerned with coding theorems for a (2, 2)-threshold scheme in the presence of an opponent who impersonates one of the participants. We have considered an asymptotic setup of the (2, 2)-threshold scheme in which $n$ secrets from a memoryless source are encoded to two shares by using a uniform random number, and the two shares are decoded to the $n$ secrets with permitting negligible decoding error probability. We have investigated the minimum attainable rates of the two shares and the uniform random number, and the maximum exponents of the probabilities of the successful impersonation from a Shannon-theoretic viewpoint. We have presented coding theorems for two cases of encoding, i.e., blockwise and symbolwise encoding.

In the first case, we have considered the situation where the $n$ secrets are encoded blockwisely to two shares. We have defined the correlation level $\ell > 0$ of the shares as the limit of the normalized mutual information between the two shares. In the converse part, it is shown that for any sequence $\{(\varphi_n, \psi_n)\}_{n=1}^{\infty}$ of pairs of an encoder $\varphi_n$ and a decoder $\psi_n$ that asymptotically realizes a (2, 2)-threshold scheme with the correlation level $\ell$, none of the rates can be less than $H(S) + \ell$, where $H(S)$ denotes the entropy of the source, and the exponent of the probability of the successful impersonation cannot be less than $\ell$. In addition, we have shown the existence of a sequence $\{(\varphi_n^*, \psi_n^*)\}_{n=1}^{\infty}$ of pairs of an encoder $\varphi_n^*$ and a decoder $\psi_n^*$ that attains all the bounds given in the converse part. The obtained results can be easily extended to the case where the $n$ secrets are generated from a stationary ergodic source.

In the second case, we have considered the situation where the $n$ secrets are encoded symbolwisely to two shares of length $n$ by repeatedly applying the encoder of an ordinary (2, 2)-threshold scheme to the $n$ secrets. While the above converse part is valid in this setup, we can give another interesting decoder in the direct part. That is, we have shown that the impersonation by an opponent can be verified with probability close to one by verifying the joint typicality of the two shares. It turns out that these encoder and decoder also attain all the bounds in the converse part.